CASL Regulations

The following is the letter I sent to Industry Canada in response to the recent publication of the draft Electronic Commerce Protection Regulations. As you will see, while I think the legislation will be of great benefit to both individual Canadians and businesses, greater attention need to be paid to avoiding situations where persons who are legitimately pursuing relationship-based electronic commerce face unjustifiable exposure to significant legal risks.

I have identified four principal concerns, all of which can be dealt with my a more generous approach to the crafting of the regulations:

The application of CASL to messages sent from Canada to recipients in foreign jurisdictions, even where the messages conform to all legal requirements in the jurisdiction in which the message is received and meant to be acted upon;

The failure to exempt purely transactional or factual messages sent in the course of a business relationship from the mandatory unsubscribe mechanism: a failure that exposes both business and consumers to unnecessary and unwarranted legal risks;

The failure to recognise existing PIPEDA consents during a the three year phase-in period in which existing business relationships are grandfathered;

The application of the full weight of CASL to rules based closed and proprietary networks.

Let us hope that Industry Canada will respond meaningfully to the concerns others and I continue to have with respect to the parsimonious approach adopted thus far toward the legitimate concerns of business.

I am writing in my personal capacity as a concerned observer to offer my suggestions for changes to the draft regulations for Canada’s Anti-Spam Legislation (CASL), the Electronic Commerce Protection Regulations, that were published in the Canada Gazette, Part I, dated January 5, 2012 (http://gazette.gc.ca/rp-pr/p1/2013/2013-01-05/pdf/g1-14701.pdf).

CASL combats three threats to users of the internet:

unwanted commercial electronic messages (spam)(section 6)

the alteration of transmission data (routing hacking)(section 7)

unwanted computer programs (malware, spyware, viruses)(section 8)

In these remarks, I will restrict my comments to issues arising from the regulations that deal with commercial electronic issues.

CASL takes an expansive approach to defining commercial electronic messages, as well as of commercial activity. That expansive approach results in many more messages being captured as spam than were intended – or that are captured in similar legislation in our economic partners. Parliament retained the expansive definitions of “commercial electronic messages” and “commercial activity”, but added provisions that permitted the government to exempt classes of messages from some or all of the provisions of section 6.

While the first draft of the regulations, published in the spring of 2011, took a very limited approach to exemptions, the public reaction to the first draft regulations led to the adoption of further exemptions that are found in the second draft of the regulations published January 4. The changes introduced by the government are welcome and positive, but, in my view, must be further built upon to ensure that CASL provides reasonable protection from abusers of electronic systems while creating the conditions in which online commerce will thrive and realise its transformative possibilities to reduce costs and increase efficiencies in the Canadian economy.

Section 3 of CASL spells out the purpose of the legislation. It thus provides the litmus test as to whether a class of commercial electronic messages poses a risk of the kinds of harm that are addressed in section 3. It is my view that, while the draft regulations have provided some very necessary relief to important users of electronic messaging, the government could have gone further without compromising the integrity of the legislative scheme. Indeed, the government missed a major opportunity to strengthen electronic commerce by taking a more aggressive approach to exempting further classes of messages.

In my view there are several classes of messages that should either be exempted from the application of CASL, or relieved of the requirement that the message contain an unsubscribe mechanism. In the following paragraphs I will outline what I see as the major areas where the government should take further action.

1. Commercial Messages sent from Canada

Canadian banks and financial institutions are a major presence in foreign markets. The strengthening of the Canadian dollar, the fall in the share value of many major competitors, and the historic relationship between Canadian banks and the West Indies means that consumers and businesses in many foreign jurisdictions do their banking with Canadian financial institutions, their subsidiaries or affiliates. It would appear logical that, in dealing with off shore customers – wherever those may be found, Canadian institutions should be in compliance with the laws of the jurisdiction in which they service their clients. However, CASL covers all commercial electronic messages sent from Canada, and subjects those messages to CASL – even where the messages comply with all legal requirements of the recipient’s country.

As a consequence, the extra territorial reach of CASL has the following unintended effects:

it imposes compliance costs on companies doing business from Canada that do not have to be met by their competitors in those markets;

it exposes Canadian companies to both administrative monetary penalties and class actions that are not faced by their competitors;

it requires dual compliance with local and Canadian law (with Canadian law trumping in the event of a conflict); and,

it encourages Canadian companies to move their back office operations (and well-paying jobs) from Canada to jurisdictions where CASL will not have application.

Clearly the application of CASL to messages that are compliant with local laws impacts the competitiveness of Canadian businesses who operate in foreign jurisdictions. At the same time, the measure contributes nothing to the protection of Canadian residents. In effect, the approach taken in CASL treats foreign jurisdictions paternalistically in applying Canadian law – even where that jurisdiction has a domestic anti-spam regime (such as the United States and the countries making up the European Union) .

Commercial electronic messages sent into a foreign jurisdiction that comply with the legal requirements of that foreign jurisdiction should be exempt from the requirements of CASL.

2. Excessive and Confusing Unsubscribe Mechanisms

In subsection 6(6), CASL sets out classes of messages that are exempt from the requirement of express or implied consent. The messages described in subsection 6(6) are all ones that arise from a relationship between the sender and the recipient: the completion of a transaction that is in progress; statements of account; information on employment benefits; information on subscriptions. In many cases the relationships are long term, most are voluntary relationships, and the messages are critical to informing the recipients of matters of financial or legal consequence to them.

While the messages described in subsection 6(6) are critical to the success of the relationship between sender and recipient, CASL subjects such messages to the requirement that they contain an unsubscribe mechanism.

It appears to me that this requirement raises at least two key issues:

Recipients will find the significance of an unsubscribe mechanism confusing.If, for instance, an individual has subscribed to a cheese-of-the-month club, and agreed to purchase a minimum number of cheeses from the list of selections that is sent monthly by email to the subscriber, what meaning must be attributed to the subscriber who exercises the unsubscribe mechanism:

Is the subscriber reneging on their contract to receive cheese?

Does the subscriber merely wish not to receive the list of selections electronically?

What if the “club” only operates electronically?In these circumstances, the presence of the unsubscribe mechanism is both confusing and hurtful to the relationship between sender and recipient. In permitting subscribers to unsubscribe, CASL:

detracts from the beneficial and cost effective relations that exist between sender and recipient;

imposes costs on business that are not justified by a commensurate protection for recipients;

interferes with contractual relations between businesses and their clients;

forces businesses to adopt business models that may be impossible to operate profitably;

undermines confidence in relations between businesses and their customers.

It is, I think, clear that the artificial requirement that subsection 6(6) messages contain an unsubscribe mechanism is a sure path to creating uncertainty and hesitancy in relying upon electronic communications to provide straight forward information relating to contractual or commercial relations. Against this, there is no protective effect offered by the redundant unsubscribe. The introductory words of subsection 6(6) already provide that the messages described must not contain promotional and advertising messages: subsection 6(6) messages are restricted to information that arises from an existing relationship. It is difficult to see how it can be argued that requiring an unsubscribe mechanism in those messages will do anything to protect recipients from messages that pose the kinds of harm that are addressed in section 3 of CASL.

The application of the CASL unsubscribe mechanism to the operation of contracts in general, and with consumers in particular, is a intrusion into provincial jurisdiction with respect to property and civil rights and may be at cross purposes with provincial consumer protection legislation effects a proper balance between businesses and consumers. If, under provincial law, parties can be bound by contract as to the form in which they receive communications from the persons with whom they do business (e.g. notice is required to be given electronically), then the requirement that a functional unsubscribe be provided in those communications would seem to interfere with the lawfulness of the underlying contractual terms. This is surely an unintended consequence of CASL – one that can be avoided by adopting a minor modification to the regulations.In the example given, respecting notice provisions, an unsubscribe from someone seeking to avoid his creditors or to avoid the crystallisation of legal rights is given a federally legislated tool for avoiding the invocation of legal rights. This is a very misplaced exercise of federal legislative power. Notice is the mechanism for bringing legal rights to the point where action can be taken to enforce those rights. If, for instance, an individual unsubscribes from statements of account before, say, final notice of default is given, then the individual can certainly slow – if not arrest – the triggering of legal enforcement.It is not enough to point to the proposed paragraph 3(d) of the draft regulations. The remedial actions set out in that provision may be dependent on a prior notice having been given. The giving of that notice may have been forestalled by the strategic exercise of an unsubscribe mechanism.The frustration of contractual rights has never been a purpose of CASL. It is an unintended consequence of the wording of subsection 6(6). Parliament has given the government the means, by regulation, to remedy this undesirable outcome and restore to contracting parties the right to specify and be bound by their private bargains.The regulations should exempt subsection 6(6) messages from the requirement that they contain an unsubscribe mechanism.

3. PIPEDA Consents

Transitional provisions in CASL (section 66) provide that where the sender and recipient have an existing business relationship (defined in subsection 10(10)), senders of commercial electronic messages have three years from the entry into force of the Act in which to obtain CASL compliant consent to the receipt of commercial electronic messages.

The consent provisions of the Personal Information Protection and Electronic Documents Act (PIPEDA) are slightly less onerous than those of CASL. Businesses that have invested the time, effort and money to build emailing lists that are compliant with PIPEDA may not have obtained those consents in a manner consistent with CASL, but were in conformity with PIPEDA. The concept of “existing business relationship” was introduced into Canadian law as an implied consent to communication in the telemarketing provisions of the Telecommunications Act. Those provisions applied only to telemarketing, so that other PIPEDA compliant companies operating on other technological platforms had no reason to record the specific manner in which a PIPEDA compliant consent was obtained. In other words, it cannot be expected that any organisation will have organised its mailing lists in a manner that specified if the consent relies on an existing business relationship, or some other implied consent that is effective for PIPEDA.

At issue here are compliance costs.

Given that the concept of existing business relationship was unknown to online commerce before the passage of CASL, the immediate impact will be to force all list holders to either:

scrub their lists by examining the details of how consent was received (a task that may not be at all easy and requiring intensive input of human resources);

obtain new consents immediately from their recipients (which would be burdensome to subscribers who may in a short period receive multiple requests to affirm consent from different organisations seeking to be CASL compliant); or,

jettison their existing mailing lists and rebuild them from scratch.

No matter which method is adopted by senders, the immediate costs of CASL compliance are compounded in a manner that serves no serious purpose.

No benefit to consumers is gained by restricting the transition period to implied consents through the existing business relationship. There is no reason why existing business relationships should be favoured over other forms of implied consent.

The failure to act on the inequitable disparity between existing business relationships and other types of implied consent serves no discernible purpose and imposes unjustifiable compliance costs on business.

By adding an exemption by regulation under paragraph 5(c) of CASL, limited to three years so as to parallel the provisions of section 66, the government would avoid imposing unnecessary up-front costs on businesses, while rewarding those who have built their business lists in a manner compliant with PIPEDA.

4. Closed and Proprietary Networks

It remains a concern that the government continues to neglect the distinction that can be made between messages sent broadly to the public and messages that arise through voluntary relationships. This is exemplified in the decision not to grant an exemption for commercial electronic messages received on proprietary or closed networks.

In the case of proprietary systems, the recipient is making use of a network or virtual private network owned or controlled by the sender of the message (e.g. major banks, airlines, and other online service providers). In such cases, the behaviour of the sender is tempered by the need to maintain the good will of its clientele. The key factor is that the sender and recipient are already in a relationship – one that the client can control by taking their business elsewhere if the recipient finds the burden of commercial messages too onerous. It takes effort to change a service provider, but the disciplines for annoying behaviour is lost business – a factor over which the recipient is in control.

The same is true of messages over closed networks (e.g. Blackberry messenger, Linked-In). So long as the recipient has control over who can send commercial electronic messages to them, and can effectively block messages from persons whose messages are unwanted, it would seem consistent with the objectives of CASL that such messages be controlled by private arrangements rather than a broad statute of general application that makes no distinction between messages sent to email or similar accounts over the internet, and those sent within the confines of a rules-based voluntary relationship.

It must be remembered that, while the scope of CASL is necessarily broad, its purposes are narrow. True spam is not based on an ongoing relationship between sender and recipient: it is a one-sided communication over which the recipient has no control. From the recipient’s point of view, the communication is involuntary, and the receipt of further messages is outside the control of the recipient. Where the sending of a commercial electronic message does not raise concerns that are addressed in the purposes set out in section 3 of CASL, the onus should be on the government to exempt such activity to the extent possible under the legislation.

The sanctions for non-compliance are potentially so onerous, and the remedies available are in many cases not subject to administrative discretion exercised by a responsible enforcement agency, that the objective of encouraging electronic commerce should favour the minimisation of exposure to those who are actually engaged in the kinds of long-term relationships that foster and encourage online commerce and provide effective protection for those engaged in those activities. In short, the government is in danger of losing sight of the forest for the trees.

It is recommended that the government provide exemption for commercial electronic messages sent over proprietary networks or closed networks that permit the recipient to control from whom they receive electronic messages.

I wish to thank you in advance for your consideration of these remarks.

CASL is very welcome legislation, and can do much to protect consumers and businesses from very real harms. However, every effort must be made to ensure that the unintended consequences of CASL do not erode Canada’s competitiveness or detract from the benefits Canadians can expect from electronic commerce.